Docket No.: 08223/000S102-US0 
(PATENT) 

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 



In re Letters Patent of: 
Brad Kollmyer et al. 

Patent No.: 7,165,175 

Issued: January 16, 2007 

For: APPARATUS, SYSTEM AND METHOD FOR SELECTIVELY ENCRYPTING DIFFERENT PORTIONS OF DATA SENT OVER A NETWORK 



REQUEST FOR CERTIFICATE OF CORRECTION 
PURSUANT TO 37 CFR 1.323 AND 1.322 

Attention: Certificate of Correction Branch 

Commissioner for Patents 

P.O. Box 1450 

Alexandria, VA 22313-1450 

Dear Sir: 

Upon reviewing the above-identified patent, Patentee noted typographical errors which 
should be corrected. A listing of the errors to be corrected is attached. 

The typographical errors marked with an "A" on the attached list are found in the 
application as filed by applicant. Please charge our Credit Card in the amount of $100.00 covering 
the fee set forth in 37 CFR 1.20(a). 

The typographical errors marked with a "P" on the attached list are not in the application 
as filed by applicant. Also given on the attached list are the documents from the file history of the 
subject patent where the correct data can be found. 






The errors now sought to be corrected are inadvertent typographical errors the correction 
of which does not involve new matter or require reexamination. 

Transmitted herewith is a proposed Certificate of Correction effecting such corrections. 
Patentee respectfully solicits the granting of the requested Certificate of Correction. 

The Commissioner is authorized to charge any deficiency of up to $300.00 or credit any 
excess in this fee to Deposit Account No. 04-0100. 

Dated: February 15, 2007 Respectfully submitted, 




Flynn Barrison 

Registration No.: 53,970 
DARBY & DARBY P.C. 
P.O. Box 5257 

New York, New York 10150-5257 
(212) 527-7700 
(212) 527-7701 (Fax) 
Attorneys/ Agents For Applicant 






Issued Patent Proofing Form File #: 08223/000S102-US0 
Note: P = PTO Error A = Applicant Error 

US Serial No.: 09/656,166 US Patent No.: US 7,165,175 B1 Issue Dt.: Jan. 16, 2007 
Title: APPARATUS, SYSTEM AND METHOD FOR SELECTIVELY ENCRYPTING DIFFERENT PORTIONS OF DATA SENT OVER A NETWORK 


| Sr. No. | P/A | Original: Page | Original: Line | Issued Patent: Column | Issued Patent: Line | Description of Error |
|---|---|---|---|---|---|---|
| 1 | P | Sheet 1 of 3, Information Disclosure Statement (IDS) filed 07/29/2004 | Entry 21 (U.S. Patent Documents) | Page 2, Col. 1 (U.S. Patent Documents) | 65 | After "6,314,409" delete "B1" and insert - - B2 - -, therefor. |
| 2 | P | Sheet 2 of 3, Information Disclosure Statement (IDS) filed 07/29/2004 | Entry 14 (U.S. Patent Documents) | Page 2, Col. 2 (U.S. Patent Documents) | 3 | After "6,409,080" delete "B1" and insert - - B2 - -, therefor. |
| 3 | P | Sheet 1 of 3, Information Disclosure Statement (IDS) filed 07/29/2004 | Entry 26 (U.S. Patent Documents) | Page 2, Col. 2 (U.S. Patent Documents) | 16 | After "6,634,028" delete "B1" and insert - - B2 - -, therefor. |
| 4 | P | Sheet 2 of 3, Information Disclosure Statement (IDS) filed 07/29/2004 | Entry 9 (U.S. Patent Documents) | Page 2, Col. 2 (U.S. Patent Documents) | 20 | After "6,654,423" delete "B1" and insert - - B2 - -, therefor. |
| 5 | P | Page 19, Specification (09/06/2000) | 1 | 10 | 3 | Delete "384," and insert - - 384; - -, therefor. |
| 6 | P | Page 20, Specification (09/06/2000) | 19 | 10 | 61 | After "another" delete ",". |
| 7 | A | Page 3, Claims (05/23/2006) | Claim 16, Line 1 | 12 | 13 | In Claim 15, after "apparatus" delete "in" and insert - - is - -, therefor. |
| 8 | A | Page 13, Claims (05/23/2006) | Claim 78, Line 5 | 16 | 49 | In Claim 74, delete "a" before "payload". |
| 9 | A | Page 16, Claims (05/23/2006) | Claim 97, Line 2 | 18 | 29 | In Claim 92, before "examination" delete "an" and insert - - on - -, therefor. |



PTO/SB/44 (04-05) 
Approved for use through 04/30/2007. OMB 0651-0033 

Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. 

(Also Form PTO-1050) 

UNITED STATES PATENT AND TRADEMARK OFFICE 

CERTIFICATE OF CORRECTION 

Page 1 of 2 

PATENT NO.: 7,165,175 
APPLICATION NO.: 09/656,166 
ISSUE DATE: January 16, 2007 
INVENTOR(S): Brad Kollmyer et al. 



It is certified that an error appears or errors appear in the above-identified patent and that 
said Letters Patent is hereby corrected as shown below: 

On the Original Issued Patent: 

Page 2 Col. 1 (U.S. Patent Documents); Line 65; After "6,314,409" delete "B1" and insert - - B2 - -, therefor. 

Page 2 Col. 2 (U.S. Patent Documents); Line 3; After "6,409,080" delete "B1" and insert - - B2 - -, therefor. 

Page 2 Col. 2 (U.S. Patent Documents); Line 16; After "6,634,028" delete "B1" and insert - - B2 - -, therefor. 

Page 2 Col. 2 (U.S. Patent Documents); Line 20; After "6,654,423" delete "B1" and insert - - B2 - -, therefor. 

Column 10; Line 3; Delete "384," and insert - - 384; - -, therefor. 



MAILING ADDRESS OF SENDER (Please do not use customer number below): 
Flynn Barrison 
DARBY & DARBY P.C. 
P.O. Box 5257 
New York, New York 10150-5257 






Column 12; Line 13; In Claim 15, after "apparatus" delete "in" and insert - - is - -, therefor. 

Column 16; Line 49; In Claim 74, delete "a" before "payload". 

Column 18; Line 29; In Claim 92, before "examination" delete "an" and insert - - on - -, therefor. 



MAILING ADDRESS OF SENDER (Please do not use customer number below): 
Flynn Barrison 
DARBY & DARBY P.C. 
P.O. Box 5257 
New York, New York 10150-5257 



US 7,165,175 B1, Page 2 

U.S. PATENT DOCUMENTS 

Entries recoverable from the issued page: 

5,539,450 A 
5,774,527 A 1998 
5,799,089 A 
5,805,705 A 9/1998 Gray et al. 
5,883,957 A 3/1999 Moline et al. 
5,915,019 A Ginter et al. 
5,939,975 A 
5,943,422 A 
5,982,891 A 
6,009,116 A 
6,035,037 A 
6,049,671 A 
6,178,242 B1 
6,189,097 B1 2/2001 Mori et al. 
6,226,794 B1 5/2001 Anderson, Jr. et al. 
6,237,786 B1 5/2001 Ginter et al. 
6,240,185 B1 5/2001 Van Wie et al. 
6,247,950 B1 6/2001 Hallam et al. 
6,253,193 B1 6/2001 Ginter et al. 
6,256,668 B1 7/2001 Slivka et al. 
6,272,636 B1 8/2001 Neville et al. 
6,285,985 B1 9/2001 Horstmann 
6,292,569 B1 9/2001 Shear et al. 
6,298,441 B1 10/2001 Handelman et al. 
6,314,409 B1 11/2001 Schneck et al. 
6,314,572 B1 11/2001 LaRocca et al. 
6,334,213 B1 12/2001 
6,363,488 B1 3/2002 Ginter et al. 
6,389,402 B1 5/2002 Ginter et al. 
6,405,369 B1 6/2002 Tsuria 
6,409,080 B1 6/2002 Kawagishi 
6,409,089 B1 6/2002 Eskicioglu 
6,424,717 B1* 7/2002 Pinder et al. 380/239 
6,427,140 B1 7/2002 Ginter et al. 
6,449,367 B1 9/2002 Van Wie et al. 
6,449,651 B1* 9/2002 Dorfman et al. 709/229 
6,449,719 B1 9/2002 Baker 
6,459,427 B1 10/2002 Mao et al. 
6,466,670 B1 10/2002 Tsuria et al. 
6,505,299 B1 1/2003 Zeng et al. 
6,587,561 B1 7/2003 Sered et al. 
6,618,484 B1 9/2003 Van Wie et al. 
6,629,243 B1 9/2003 Kleinman et al. 
6,634,028 B1 10/2003 Handelman 
6,640,304 B1 10/2003 Ginter et al. 
6,651,170 B1 11/2003 Rix 
6,654,420 B1 11/2003 Snook 
6,654,423 B1 11/2003 Jeong et al. 
6,658,568 B1 12/2003 Ginter et al. 
6,668,325 B1 12/2003 Collberg et al. 
6,931,532 B1* 8/2005 Davis et al. 713/167 
2003/0007568 A1 1/2003 Hamery et al. 

Further cited entries of which only the inventor name or date survived: Kudelski et al.; Wasilewski; Kudelski et al.; Adams, Jr. et al.; 10/1997; Ginter et al.; 7/1999 Gledhill et al. 

FOREIGN PATENT DOCUMENTS 

714204 B1 5/1996 
WO-96/06504 A1 2/1996 
WO-96/32702 A1 10/1996 
WO-99/54453 A1 10/1999 
WO-01/35571 A1 5/2001 
WO-02/21761 A2 3/2002 

OTHER PUBLICATIONS 

Coverage and Generalization in an Artificial Immune System, Balthrop et al., 2002. 

Video Protection by Partial Content Corruption, C. Griwodz, Sep. 1998. 

An Overview of Multimedia Content Protection in Consumer Electronics Devices, Eskicioglu et al. 

Performance Study of a Selective Encryption Scheme for the Security of Networked, Real-Time Video, Spanos et al., 1995. 

Goonatilake, Suran, ed. et al., Intelligent Systems for Finance and Business, 1995, chapters 2-10, pp. 31-173. 

Irdeto Access and Optibase create Strategic Alliance, Dec. 14, 2000, http://www.irdetoaccess.com/press/0000041.htm. 

System Security, Streaming Media, S. Blumenfeld, Oct. 2001. 

http://www.cs.unm.edu/~forest/projects.html, Dec. 2, 2003. 

Partial Encryption for Image and Video Communication, H. Cheng, 1998. 

A Review of Video Streaming Over the Internet, Hunter et al., Dec. 2, 2003. 

Standards Track, Schulzrinne, et al., Apr. 1998, pp. 1-S6. 

http://www.optibase.com/html/news/December_14_2000.html, Dec. 14, 2004. 

Omneon Video Networks Product Announcement, Broadband Streaming, pp. M. 

Yoshida, Kazuhiro, et al., "A Continuous-media Communication Method for Minimizing Playback Interruptions", IS&T/SPIE Conference on Visual Communications and Image Processing, Jan. 1999, San Jose, California, vol. 36. 

Communication pursuant to Article 96(2) EPC dated Jan. 26, 2006 (for EP Application No. 01968511.4). 

PCT Notification of Transmittal Of The International Search Report, PCT/US01/27518; Applicant Widevine Technologies, Inc.; pp. 1-7. 



US 7,165,175 B1, columns 9 and 10 

A firewall, for example, does not recognize or try to block the encrypted data stream because the transport protocols do not define the appearance of the payload part, only the appearance of the non-payload part. The firewall looks at the non-payload part including but not limited to size, routing and header data. If the non-payload part data identify the data stream as a reply to a user request, then the firewall determines that the data stream is not malicious in origin and will not prevent it from going through. However, if the firewall is unable to parse the non-payload part or does not recognize the non-payload part, then the data will be blocked from passing through. 

In existing encryption solutions where the entire data portion of packets is encrypted, special modifications in each firewall, proxy server or NAT that the data stream might pass through are necessary. That is, the firewalls, proxy servers and NATs would have to be updated to identify the encrypted data. The present invention does not require modifications of the firewalls, proxy servers or NATs already deployed because it selectively encrypts the data packets, leaving the portions important to firewalls, proxy servers and NATs unchanged such that the firewall, proxy server or NAT can pass the data stream to the intended target. 

Some existing encryption solutions exist that encrypt only the media portion of a data stream by placing the encryption software on the streaming server as a plug-in to streaming server software, placing a heavy processing burden on the streaming server. This is in contrast to a benefit of the invention in that the invention can be used with a plurality of streaming servers without modification being required to the streaming servers and providing encryption without impacting the processing performance of the streaming 
Another feature of the invention is it provides a system that is independent in terms of the media format used. That is, the invention operates based on data protocol rather than file format. Multimedia streaming over networks is accomplished via several protocols. The invention recognizes the streaming protocol and acts on the data rather than requiring specific identification of the file format being transmitted. The invention is also independent in terms of the operating systems on the server machines since the invention requires no direct access to the server machines; the invention merely requires that the data streams from the streaming server pass through the EB. 

The invention further provides a client system, also referred to as a decryption shim or simply a shim, which is a piece of transparent software that is downloaded to or pre-installed on the client machine (e.g. personal computer, network appliance or other network capable device) and used to decrypt incoming data streams from the EB on its way to the media player software. FIG. 3 is a flowchart of an exemplary decryption process of the decryption shim software performed at the client machine. The process comprises data streams as they are initiated 310; determining whether the data is an encrypted stream 320; ignoring the stream if it is not encrypted data 322; determining if the encryption key is current 330; negotiating a key with the encryption bridge/source if the key is not current 340; parsing the data into payload and non-payload parts 350; decrypting only the payload part 360; passing the data to higher level operations (e.g. the media player) 370; determining whether the data is the last part of a stream 380; examining the operating environment for security 382; determining if the client environment is compromised (hacked, etc.) 384, shutting down the data stream if the client is compromised 385; communicating with the encryption bridge/source 386; resuming parsing data 388; and terminating the stream if the data was the last part of the stream 390. 

Decryption is accomplished by adding a decryption shim 420 in a Layered Service Provider 410 in a Windows™ sockets network architecture as shown in FIG. 4 or a streams plug-in 510 in a streams based network architecture as shown in FIG. 5. FIG. 4 is an exemplary diagram of a Windows™ sockets network architecture. In the Windows™ networking architecture, decryption shim 420 is the highest most Layered Service Provider (LSP) so that an additional LSP cannot merely spool decrypted data out into an insecure environment. This can be extrapolated to other sockets based networking protocols as well. FIG. 5 is an exemplary diagram of a streams based network architecture. The diagram represents placement of the invention's shim 520 within a streams based architecture 510 such as that employed by current incarnations of Mac OS™ and some versions of Unix. 
When a user requests data that is encrypted by the EB of the invention, the transparent software is installed via an Active-X™ Control, a well documented means to deliver executable programs to a Windows™ computer. The installation of the decryption shim is transparent to the user and does not cause a reboot, restart of the user's browser or require user interaction. Some exceptions such as the Mac OS™ and Windows NT™ or Windows 2000™ in secure environments or Linux or Unix based client machines because transparent installation requires administrative user privileges on the client machine and the ability of the client machine to receive programs via the Active-X™ mecha- 

After the last stream has finished, the decryption shim uninstalls as much of itself as possible, leaving only a small layer so that administrative user privileges are not required for future decryptions. The decryption shim is installed in volatile memory to reduce the chances of tampering by a third party. 

After installation, the decryption shim decrypts only the data coming from the EB of the invention going to targeted players such as Windows Media™ Player, QuickTime™ Movie Player, Real Player™, etc. Decryption does not impact data targeted to other applications or media streams that are not encrypted by the EB of the invention. The decryption shim runs on, for example, operating systems such as Windows 95™, Windows 98™, Windows ME™, Windows NT™, Windows 2000™ as well as Mac OS™ and numerous Linux and Unix distributions. Where Active-X™ based installation is possible, the installation of the decryption shim can be accomplished with most browsers such as Internet Explorer™ or Netscape™. 

In sum, the EB of the invention drops in between the server and client and parses and encrypts a selected portion of the streamed data such as the media portion. As the stream is initiated, the decryption core is sent as part of the stream to the client side. The client can then decrypt the incoming data for the duration of the stream. If another, stream is initiated, decryption occurs the same way. For each stream, the encryption keys can be set for the duration of the stream or changed during the stream duration to increase security. 

As an example, a client may request privileges to get streaming data from a service provider's e-commerce system. The service provider's back-end (server infrastructure) will authorize the streaming server to initiate a stream. That stream is initiated through the EB. Once initiated, the stream is parsed and selectively encrypted by the EB before being passed out over the network. Encryption keys are exchanged, for example, by the Diffie-Hellman mechanism that is known in the field. Unique features of the invention include the parsing and selective encryption of only the payload part of the data stream and the ability to plug-in other key exchange mechanisms and encryption algorithms should customer or security needs dictate. 
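The selective-encryption path described above, as an added illustration that is not code from the patent or from Widevine: an RTP-like 12-byte header stands for the non-payload part, a constructed `MEDA` tag stands for the predefined data type the encrypter examines the payload for, and an HMAC-SHA256 counter keystream keyed per stream stands in for the real cipher and the Diffie-Hellman exchange (all of these are assumptions of the example). It also runs the shim's key-currency check from FIG. 3 and shows that a header-only firewall check returns the same verdict before and after encryption.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 12          # RTP fixed header: V/P/X/CC, M/PT, seq(2), timestamp(4), SSRC(4)
MEDIA_MAGIC = b"MEDA"    # constructed tag marking the predefined media data type


def build_packet(seq: int, ssrc: int, payload: bytes, payload_type: int = 96) -> bytes:
    """Build a constructed RTP-style packet (version 2, no padding/extension/CSRC)."""
    return struct.pack("!BBHII", 0x80, payload_type, seq, seq * 160, ssrc) + payload


def parse_packet(packet: bytes):
    """Parser: split a packet into its non-payload (header) and payload portions."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the fixed header")
    return packet[:HEADER_LEN], packet[HEADER_LEN:]


def header_fields(header: bytes):
    """Decode the routing/control fields a firewall, proxy or NAT would look at."""
    b0, pt, seq, ts, ssrc = struct.unpack("!BBHII", header)
    return {"version": b0 >> 6, "pt": pt & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}


def is_predefined_media(payload: bytes) -> bool:
    """Encrypter's test: examine the payload itself for the predefined data type."""
    return payload.startswith(MEDIA_MAGIC)


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, seq || counter), block by block.
    It stands in for a real stream cipher so the example needs only the stdlib."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!HI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def bridge_encrypt(packet: bytes, key: bytes) -> bytes:
    """Encryption bridge (EB): encrypt only a recognised media payload. The header is
    reattached unchanged by the combiner, so middleboxes parse the packet as before."""
    header, payload = parse_packet(packet)
    if not is_predefined_media(payload):
        return packet                          # not the predefined type: pass through
    seq = header_fields(header)["seq"]
    return header + xor_bytes(payload, keystream(key, seq, len(payload)))


def firewall_accepts(packet: bytes, allowed_ssrcs: set) -> bool:
    """Stateful-firewall stand-in: decides on the non-payload portion only."""
    try:
        f = header_fields(parse_packet(packet)[0])
    except (ValueError, struct.error):
        return False                           # cannot parse the header: block
    return f["version"] == 2 and f["ssrc"] in allowed_ssrcs


def shim_decrypt(packet: bytes, stream_keys: dict):
    """Decryption shim (FIG. 3 flow). Returns (status, packet): 'ignored' when the
    stream was not encrypted by the EB, 'renegotiate' when the key is not current,
    'ok' when only the payload was decrypted and the packet is handed upward."""
    header, payload = parse_packet(packet)
    f = header_fields(header)
    key = stream_keys.get(f["ssrc"])           # keys negotiated per stream (SSRC)
    if key is None:
        return "ignored", packet               # step 322
    clear = xor_bytes(payload, keystream(key, f["seq"], len(payload)))
    if not is_predefined_media(clear):
        return "renegotiate", packet           # steps 330/340: stale key
    return "ok", header + clear                # steps 360/370


def demo():
    """End-to-end run on constructed packets; returns the facts the test checks."""
    key, ssrc = b"constructed-stream-key", 0x1234ABCD
    media = build_packet(7, ssrc, MEDIA_MAGIC + b"frame-bytes...")
    control = build_packet(8, ssrc, b"RR report")   # not media: left in the clear
    wire_media = bridge_encrypt(media, key)
    wire_control = bridge_encrypt(control, key)
    status, recovered = shim_decrypt(wire_media, {ssrc: key})
    stale, _ = shim_decrypt(wire_media, {ssrc: b"old-key"})
    return {
        "header_unchanged": wire_media[:HEADER_LEN] == media[:HEADER_LEN],
        "payload_changed": wire_media[HEADER_LEN:] != media[HEADER_LEN:],
        "control_passthrough": wire_control == control,
        "firewall_accepts_encrypted": firewall_accepts(wire_media, {ssrc}),
        "firewall_same_verdict": firewall_accepts(media, {ssrc}) == firewall_accepts(wire_media, {ssrc}),
        "shim_status": status,
        "roundtrip": recovered == media,
        "stale_key": stale,
        "unknown_stream": shim_decrypt(control, {})[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```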

It will be apparent to one of ordinary skill in the art that the embodiments as described above may be implemented in many different embodiments of software, firmware and hardware in the entities illustrated in the figures. The actual software code or specialized control hardware used to implement the present invention is not limiting of the present invention. Thus, the operation and behavior of the embodiments were described without specific reference to the specific software code or specialized hardware components, it being understood that a person of ordinary skill in the art would be able to design software and control hardware to implement the embodiments based on the description herein. 

The invention claimed is: 

1. An apparatus for selectively encrypting data for transmission over a network in packets between a server and a client, the apparatus comprising: 

a parser configured to parse a payload portion of the data in a packet from a non-payload portion of the packet data; 

an encrypter configured to determine if the payload portion of the packet data is to be encrypted by examining the payload portion of the packet data to recognize a predefined data type, and if it is to be encrypted, to encrypt the payload portion of the packet data; and 

a data combiner configured to combine the encrypted payload portion of the packet data with the non-payload portion of the packet data, wherein the non-payload portion of the packet data includes more than routing information. 

2. The apparatus of claim 1, wherein the packet data includes streaming data. 

3. The apparatus of claim 1, wherein the non-payload portion of the packet data includes at least one of a header, control data and routing data. 

4. The apparatus of claim 1, further comprising a transmitter configured to send the combined payload and non-payload portions of the packet data over the network to the client. 

5. The apparatus of claim 1, further comprising a receiver configured to receive the data from the server before the data is sent in the packet over the network to the client. 

6. The apparatus of claim 1, further comprising a device configured to establish a data stream between the server and the client. 

7. The apparatus of claim 1, further comprising a key negotiator configured to negotiate an encryption key with the client. 

8. The apparatus of claim 7, wherein key negotiation and key exchange occur during transmission of a stream. 

9. The apparatus of claim 8, wherein the encrypter is transparent to the server. 

10. The apparatus of claim 7, wherein key negotiation can determine if the encryption key is current. 

11. The apparatus of claim 1, further comprising a decrypter configured to decrypt the encrypted payload portion of the packet data at the client. 



12. The apparatus of claim 1, wherein the parser is further configured to parse the packet data into different portions based on a media format. 

13. The apparatus of claim 1, wherein the encrypter is further configured to encrypt the payload portion of the packet data based on a media format. 

14. The apparatus of claim 1, wherein the apparatus is implemented utilizing an application that includes a pluggable core encoding an encryption algorithm for encrypting the payload portion of the packet data, wherein the pluggable core enables the encryption algorithm to be readily 

15. The apparatus of claim 1, wherein the apparatus implemented on an encryption bridge. 

16. The apparatus of claim 1, wherein the payload packet data includes multimedia data. 

17. The apparatus of claim 1, wherein the parser is further configured to parse the packet data into different portions based on a data protocol used to transmit a data stream of packets. 

18. The apparatus of claim 1, wherein the parser parses the packet data based on a data protocol. 

19. A method for selectively encrypting data in a packet received from a data source, the data including payload and non-payload portions which differ from each other in at least one characteristic, the received data to be subsequently sent over a network to a client, the method comprising: 

parsing the received packet data into portions including the payload and non-payload portions; 

determining if the payload portion is to be encrypted based on a format of the payload portion of the packet data by examining the payload portion of the packet data to recognize a predefined data type, and if it is to be encrypted, encrypting the payload portion of the received packet data; and 

sending the received packet data including the encrypted payload portion and the non-payload portion of the received packet data over the network to the client. 

20. The method of claim 19, wherein the data source is a 

21. The method of claim 19, further comprising determining whether a stream is established between a server and the client. 

22. The method of claim 19, further comprising negotiating an encryption key with the client. 

23. The method of claim 22, wherein the received packet data from the data source is streaming data sent during a streaming session and the negotiating of the encryption key is carried out during the streaming session. 

24. The method of claim 22, wherein the received packet data from the data source is streaming data sent during a streaming session, the method further comprising examining the client during the streaming session and terminating the streaming session if the encryption key on the client is invalid. 

25. The method of claim 22, wherein the encryption key is negotiated with a decryption shim on the client. 

26. The method of claim 19, further comprising determining whether the received packet data is streaming data. 

27. The method of claim 26, further comprising parsing, encrypting and sending the packet data if the packet data is streaming data and sending the packet data if the packet data 
58. An apparatus for selectively encrypting streaming data packets received from a streaming data source for transmission over a network to a client, the apparatus comprising: 

a parser configured to parse a plurality of portions of the streaming data packets, wherein the plurality of portions include a payload portion and a non-payload portion in each of the streaming data packets; 

an encrypter configured to encrypt at least the payload portion if it is determined, based on an examination of a format of the payload portion to recognize a predefined data type, payload portion is to be encrypted, but not encrypt at least one other data portion of the plurality of data portions; and 

a data combiner configured to combine the encrypted payload portion with at least one unencrypted non-payload data portion. 

59. The apparatus of claim 58, further comprising a negotiator, wherein the negotiator negotiates and exchanges a key with the client before the combined packet data is transmitted over the network to the client, the key enabling the client to decrypt the encrypted payload portion of the packet data for play on the client. 

60. The apparatus of claim 59, wherein the streaming data is sent from the streaming data source during a streaming 

61. The apparatus of claim 60, further configured to perform actions including examining the client during the streaming session and terminating the streaming session if the client has been compromised. 

62. The apparatus of claim 58, wherein the at least one unencrypted data portion of the packet data includes at least one of a header, control data and routing data. 

63. The apparatus of claim 58, wherein the streaming data 
64. An apparatus for selectively encrypting data received from a data source for transmission in packets over a network to a client, comprising: 

a parser configured to parse at least two portions of the packet data, at least one of the two portions of the packet data including more than routing information for a packet; 

an encrypter configured to determine if a payload portion of the packet data is to be encrypted based on an examination of the payload portion the packet data to recognize a predefined data type, and if it is to be encrypted, encrypting the payload portion of packet data not including the routing information for the packet; and 

a data combiner configured to combine the parsed at least two portions of the packet data following encryption of the payload portion of data not including the routing information for the packet. 

65. The apparatus of claim 64, wherein an unencrypted portion of the packet data includes at least one of a header and control data. 

66. The apparatus of claim 65, wherein the parser parses the data into different portions based on a data protocol used to transmit the data. 

67. The apparatus of claim 65, wherein the portion of the packet data to be encrypted includes media data encoded in a media format and wherein the encrypter encrypts the packet data to be encrypted based on the media format. 

68. The apparatus of claim 67, wherein the apparatus is implemented utilizing an application that includes a pluggable core encoding an encryption algorithm for encrypting the packet data, the pluggable core being replaceable to enable the encryption algorithm to be readily changed. 



69. The apparatus of claim 68, wherein the apparatus is implemented on an encryption bridge. 

70. An apparatus for selectively encrypting data received from a data source during a downloading operation, the data being received from the data source for transmission in packets over a network to a client receiving the downloaded packetized data, comprising: 

a parser configured to parse at least two portions of the data in a packet, wherein the packet data includes a payload portion and a non-payload portion; 

an encrypter configured to determine if the payload portion of the packet data is to be encrypted based on a format of the payload portion of packet data, wherein the format is determined based on an examination of the payload portion of the packet data to recognize a predefined data type, and if it is to be encrypted, encrypting the payload portion of the packet data; and 

a data combiner configured to combine the encrypted payload portion of the packet data with an unencrypted portion of packet data for transmission over the network. 

71. The apparatus as defined in claim 70, wherein the downloaded data is included in the encrypted payload portion of the packet data. 

72. The apparatus of claim 71, wherein the unencrypted portion of packet data includes at least one of a header, control data and routing data. 

73. The apparatus of claim 72, further comprising a key negotiator configured to perform actions including negotiating and exchanging a key with the client before the packet data is sent over the network to the client, the key enabling the client to decrypt the encrypted payload portion of data. 

74. An apparatus for selectively encrypting data, received from a data source during a downloading operation and for selectively encrypting data received in packets from a data source during a streaming operation, the packet data being received from the data source for transmission over a network to a client receiving the downloaded or streaming data, comprising: 

a means for parsing at least two portions of the data included in a packet, wherein the packet data comprises at least a payload portion and a non-payload portion; 

a means for determining if the payload portion of the at least two portions of data is to be encrypted based on a format of the one portion of packet data that is determined by recognizing a predefined data type in the payload portion of the at least two portions, and if the a payload portion of data is to be encrypted, employing a means for encrypting only the payload portion of the at least two portions of data; and 

a means for combining the encrypted payload portion of the packet data with at least the unencrypted portion of the packet data for transmission over the network. 

75. The apparatus of claim 74, wherein during the streaming operation, the streaming data is included in the packet data portion that is to be encrypted. 

76. The apparatus as defined in claim 75, further comprising a key negotiating means configured to negotiate and exchange a key with the client before the streaming data is sent over the network to the client, the key enabling the client to decrypt the encrypted payload portion of the packet data for play on the client. 

77. The apparatus of claim 74, further comprising a client examining means configured to examine the client during a streaming session and terminate the streaming session if the client has been compromised. 
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78. The apparatus of claim 77, wherein the packet data 
portion that is not encrypted includes at least one of a header, 
cunlrol data and routing data. 

79. The apparatus of claim 74, wherein during a down- 
loading operation, the downloaded data is included in the t 
packet data portion tliat is to be encrypted. 

80. The apparatus of claim 79, wlierein the data portion 
Ihti I is not encrypted includes at least one of a header, control 
data and routing data. 

81. A sliim deployed on a client, the shim comprising: i 
£1 data receiver configured to receive partially encrypted 

packet data transmitted to the client, wherein another 
device parsed the packet data into a payload portion 
and a non-payload portion and determined the payload 
portion of the packet data to be encrypted based on a 
format of the payload portion of the packet data, 
wherein the format is determined by an examination of 
that payload portion of the packet data to recognize a 
predefined data type; 
a parser configured to parse the partially encrypted packet 
data to select the payload portion of the packet data to 
be decrypted; 

a decrypter configured to decrypt the payload portion of 
the packet data selected for decrypting by the parser; 
and 

a data transmitter configured to send the decrypted packet 
data to a higher level operation resident on the client. 

82. The shim of claim 81, wherein an encrypted portion 
of the transmitted packet data includes media data, the data 
transmitter being further configured to send the decrypted 
media data to a media player resident on the client. 

83. The shim of claim 82, wherein the media data is 
streaming media transmitted to the client during a streaming 

84. The shim of claim 83, wherein the unencrypted 
portion of the packet data includes at least one of a header, 
control data and routing data. 

85. The shim of claim 83, further comprising an analyzer 
configured to analyze a behavior of the client to detect 
known media piracy techniques and to terminate the stream- 
ing session if a known media piracy technique is detected. 

86. The shim of claim 83, further comprising an analyzer 
configured to analyze a behavior of the client to detect 
suspicious client behavior and to terminate the streaming 
session if specific behavior is detected. 

87. The shim of claim 83, further comprising an analyzer 
configured to analyze a behavior of the client to detect 
known media piracy techniques and to terminate operation 
of at least the decrypter when a media piracy technique is 
88. The shim of claim 83, further comprising an analyzer 
configured to analyze a behavior of the client to detect 
suspicious client behavior and to terminate the operation of 
at least the decrypter if suspicious behavior is detected. 

89. The shim of claim 83, further comprising a key 
negotiator configured to negotiate and exchange a key with 
the client before the packet data is sent over the network to 
the client, the key enabling the client to decrypt the 
encrypted portion of the packet data for play on the client. 

90. The shim of claim 83, wherein the streaming data is 
sent to the client from an encryption source, the shim further 
including a key negotiator configured to negotiate and 
exchange a key with the encryption source, the key being 
used by the decrypter to decrypt the encrypted portion of the 
packet data. 

91. The shim of claim 90, wherein the key negotiator is 
further configured to carry out the negotiating and exchang- 
ing of the key with the encryption source during the stream- 
ing session. 

92. A method for providing data in packets over a net- 
work, comprising: 

determining a plurality of portions of data in a packet that 
includes a payload portion and a non-payload portion; 

determining if at least the payload portion of the plurality 
of portions of the packet data is to be encrypted based 
on examination of the payload portion, wherein the 
examination is to recognize a predefined data type and 
if the payload portion is to be encrypted, selectively 
encrypting the payload portion in the plurality of por- 
tions, wherein at least one other non-payload portion 
remains unencrypted; 

authenticating a client to receive the packet that includes 
the selectively encrypted payload portion; and 

transmitting the packet that includes the selectively 
encrypted payload portion to the authenticated client. 
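Claims 74, 81 and 92 together describe one mechanism: the sender parses a packet into a payload and a non-payload portion, examines the payload for a predefined data type, encrypts only the payload when that type is recognized, and sends the packet with header, control and routing data still in the clear; a shim on the client parses the partially encrypted packet, decrypts just the payload and passes it up to the player. The following is an added example written for this page, not code from the patent or from the patentee. It assumes a constructed packet format (4-byte magic, 1-byte flags, 2-byte length, payload), two assumed media signatures (an ID3-tagged MP3 and an ISO-BMFF "ftyp" box) standing in for "a predefined data type", a key already negotiated out of band as claims 76 and 89 describe, and an HMAC-SHA256 counter-mode keystream as a toy stand-in for a real AEAD such as AES-GCM. It also adds one thing the claims do not mention: an integrity tag that binds the cleartext header to the ciphertext, because a payload-only cipher leaves the readable routing and control fields malleable otherwise.

```python
"""Selective payload encryption with a client-side shim (added example)."""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Constructed wire format assumed for this example; the claims do not fix one.
# Header (always cleartext): 4-byte magic, 1-byte flags, 2-byte payload length.
HEADER_FMT = "!4sBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 7 bytes
MAGIC = b"SPKT"
FLAG_ENCRYPTED = 0x01
NONCE_LEN = 12
TAG_LEN = 32

# Assumed key, as if already negotiated with the client (claims 76 and 89).
SAMPLE_KEY = bytes(range(32))
# Constructed sample payloads: an ID3-tagged MP3 fragment and a control message.
SAMPLE_MP3 = b"ID3\x03\x00\x00" + bytes(4) + b"\xff\xfb\x90\x00mp3-frame-bytes"
SAMPLE_CONTROL = b"PING seq=7"


def recognize_data_type(payload: bytes) -> Optional[str]:
    """Examine the payload for a predefined data type; None means 'leave clear'."""
    if payload.startswith(b"ID3"):
        return "mp3"
    if len(payload) >= 8 and payload[4:8] == b"ftyp":
        return "mp4"
    return None


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_packet(payload: bytes, flags: int = 0) -> bytes:
    """Frame a cleartext payload behind the constructed header."""
    return struct.pack(HEADER_FMT, MAGIC, flags, len(payload)) + payload


def split_packet(packet: bytes) -> Tuple[bytes, int, bytes]:
    """Parse a packet into its cleartext header, the flags field and the body."""
    magic, flags, _ = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic")
    return packet[:HEADER_LEN], flags, packet[HEADER_LEN:]


def selectively_encrypt(packet: bytes, key: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Sender side (claims 74 and 92): encrypt the payload only when it carries a
    recognized media type; the header and any unrecognized payload pass through."""
    header, flags, payload = split_packet(packet)
    if recognize_data_type(payload) is None:
        return packet  # control traffic stays readable, exactly as received
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    new_header = struct.pack(HEADER_FMT, MAGIC, flags | FLAG_ENCRYPTED, len(payload))
    ciphertext = _xor(payload, _keystream(key, nonce, len(payload)))
    # Added caveat: bind the cleartext header into the tag so routing/control
    # fields cannot be altered in transit without detection.
    tag = hmac.new(key, new_header + nonce + ciphertext, hashlib.sha256).digest()
    return new_header + nonce + ciphertext + tag


def shim_decrypt(packet: bytes, key: bytes) -> bytes:
    """Client shim (claim 81): parse the partially encrypted packet, select and
    decrypt the payload portion, and return plaintext for the higher layer."""
    header, flags, body = split_packet(packet)
    if not flags & FLAG_ENCRYPTED:
        return body
    _, _, length = struct.unpack(HEADER_FMT, header)
    nonce = body[:NONCE_LEN]
    ciphertext = body[NONCE_LEN:NONCE_LEN + length]
    tag = body[NONCE_LEN + length:]
    expected = hmac.new(key, header + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("payload tag mismatch; refusing to decrypt")
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


if __name__ == "__main__":
    wire = selectively_encrypt(build_packet(SAMPLE_MP3), SAMPLE_KEY)
    print("header stays clear:", wire[:HEADER_LEN])
    print("shim recovers:", shim_decrypt(wire, SAMPLE_KEY))
    print("control untouched:", selectively_encrypt(build_packet(SAMPLE_CONTROL), SAMPLE_KEY))
```

The length field in the cleartext header still reports the plaintext payload size, which is what a downstream parser needs to carve the ciphertext out from between the nonce and the tag; a real deployment would also rotate the key during the session, as claim 91 contemplates, rather than reuse one key for every packet.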

93. The method of claim 92, wherein authenticating the 
client further comprises the client accepting a shim trans- 
mitted from a server that is selectively encrypting the 
payload portion, and wherein the shim is configured to send 
back a confirmation. 

94. The method of claim 92, wherein authenticating the 
client further comprises the client transmitting a self-gener- 
ated certificate. 



